Apache2 update not showing up.

#1 Sat, 01/14/2017 - 18:22
Kryolyt


Hello,

I'd like to update Apache to the latest stable version, 2.4.25 (released 2016-12-20).

Apt tells me that Apache is already at the latest version. However, I currently only have Apache 2.4.10 installed. AFAIK there are some vulnerabilities prior to 2.4.16 that I'd like to avoid.

My sources.list:

    # main sources
    deb http://debian.intergenia.de/debian/ jessie main contrib non-free
    deb-src http://debian.intergenia.de/debian/ jessie main contrib non-free

    deb http://httpredir.debian.org/debian jessie main
    deb-src http://httpredir.debian.org/debian jessie main

    deb http://httpredir.debian.org/debian jessie-updates main
    deb-src http://httpredir.debian.org/debian jessie-updates main

    # security
    deb http://debian.intergenia.de/debian-security/ jessie/updates main contrib non-free
    deb-src http://debian.intergenia.de/debian-security/ jessie/updates main contrib non-free

    deb http://security.debian.org/ jessie/updates main
    deb-src http://security.debian.org/ jessie/updates main

    deb http://software.virtualmin.com/gpl/debian/ virtualmin-jessie main

Running Debian 8 Jessie on Linux 3.16.0-4-amd64.

Thanks for any tips.

Sat, 01/14/2017 - 19:00
Diabolico

Apache 2.4.10 is the default version for Debian 8. I'm not sure about Debian, but I suspect it is the same as for CentOS, so all patches will be backported to your version. In case you really need 2.4.25 (but why?), then you must uninstall the current version and install the one you want. Just pay attention: in most cases it will not work "out of the box" and you can expect a lot of problems.

You should really read and learn before you start any change or pursue some magical version numbers.

For example: https://www.debian.org/News/2016/20160917

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 01/14/2017 - 19:17 (Reply to #2)
Kryolyt

Hi, thanks for the reply.

As far as I know, Apache versions prior to 2.4.16 allow distributed denial of service attacks over the mod_lua module. The same vulnerabilities can be found in the red_request and ap_some_auth_required functions. Additionally, versions prior to 2.4.12 allow attackers to crash the daemon with a handle_headers vulnerability when FastCGI is used. There are some more vulnerabilities that would, however, not affect my server, so I didn't pursue them.

Source: http://httpd.apache.org/security/vulnerabilities_24.html

I thought security updates would always be included in the Debian security repo.

I guess I'll stay with 2.4.10 then.

Sat, 01/14/2017 - 19:42
Diabolico
> I thought security updates would always be included in the Debian security repo.

They will; like I said, all patches and bug fixes will be backported to 2.4.10. So as long as you have Debian 8 your Apache version will most likely not change, but it will be updated with all patches against all bugs and vulnerabilities. This is done to get a stable OS where software versions will not (often) upgrade; otherwise with every change you would get even more bugs or exploits to patch.

You can't just read something and automatically apply it as fact. First you should learn about your OS and then see if some suggestions can apply to your situation or not.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 01/14/2017 - 19:45 (Reply to #4)
Kryolyt

Oh, I see. Thanks for the post. Good to know.

Sat, 01/14/2017 - 20:42
andreychek

Howdy,

Yeah, as Diabolico mentioned, distros backport fixes into the software versions they ship. For stability reasons, they don't make major version changes to their software.

What you may want to do is look for the "CVE" number associated with the vulnerability you wish to look into, and then just Google it. For example, looking at the security list you mentioned, mod_lua has a vulnerability there described as "mod_lua: Crash in websockets PING handling". The CVE number for that is "CVE-2015-0228".

If you were to Google "debian CVE-2015-0228", that brings up this Debian report showing that it's been corrected:

https://security-tracker.debian.org/tracker/CVE-2015-0228

Hopefully that helps!

-Eric
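The same check can be done locally against the package changelog, which is where a backported fix is recorded even though the upstream version string stays 2.4.10. The script below is an added example, not code from this thread or from Debian: it parses a changelog in Debian's format and reports whether the installed version is at or after the first entry that mentions a given CVE. The changelog text, maintainer names, dates and the version suffixes are constructed for illustration; in practice you would feed it the output of `apt-get changelog apache2` and `dpkg-query -W -f='${Version}' apache2`.

```python
import re

# Constructed sample in Debian changelog format (newest entry first, as
# `apt-get changelog apache2` prints it). Versions, dates and the maintainer
# are made up; CVE-0000-0001 is a placeholder, not a real identifier.
SAMPLE_CHANGELOG = """\
apache2 (2.4.10-10+deb8u3) jessie-security; urgency=medium

  * CVE-0000-0001: placeholder entry for a later backported fix

 -- Example Maintainer <maint@example.org>  Tue, 01 Sep 2015 10:00:00 +0000

apache2 (2.4.10-10+deb8u2) jessie-security; urgency=medium

  * CVE-2015-0228: mod_lua crash in websockets PING handling (backported)

 -- Example Maintainer <maint@example.org>  Mon, 02 Mar 2015 10:00:00 +0000

apache2 (2.4.10-10) unstable; urgency=medium

  * Initial jessie release of upstream 2.4.10

 -- Example Maintainer <maint@example.org>  Fri, 01 Aug 2014 10:00:00 +0000
"""

# An entry header is "<package> (<version>) <suite>; ..." at column 0.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.MULTILINE)


def parse_changelog(text):
    """Return [(version, entry_body), ...] in changelog order (newest first)."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((m.group(2), text[m.end():end]))
    return entries


def cve_fixed_in(changelog, installed_version, cve):
    """True if installed_version is at or after the first entry naming the CVE.

    The changelog is ordered newest-first, so comparing list positions avoids
    reimplementing dpkg's version comparison. A CVE that no entry mentions is
    reported as unfixed; the caller should then consult the security tracker.
    """
    entries = parse_changelog(changelog)
    versions = [v for v, _ in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    cve_re = re.compile(r"\b" + re.escape(cve) + r"\b")
    fix_idx = next((i for i, (_, body) in enumerate(entries) if cve_re.search(body)), None)
    return fix_idx is not None and versions.index(installed_version) <= fix_idx
```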
